Alok Kumar

Good day to all from me and my colleague KrishnaKanth. I'm Alok Kumar, group project manager for Infosys IT, with 20-plus years of experience in .NET, open source technologies, ERP, and testing. In addition to my portfolio, I also anchor the DevSecOps initiative for Infosys IT.

KrishnaKanth B N

Hi, I'm KrishnaKanth, senior technology architect at Infosys, with over 16 years of experience in Java/J2EE development, SDLC, and DevOps tools consulting. I'm currently leading the Infosys DevSecOps platform development and implementation.

Alok Kumar

Before we move forward, we would like to thank the DOES team for giving us the opportunity to present our experience and learning in this esteemed forum. Today we will talk about the story of DevSecOps transformation at scale in Infosys IT, the challenges we faced, the solutions that worked out for us, and the results from this journey that have made our value delivery predictable, enhanced, and proactive.

We represent Infosys, an organization with around 345,000 passionate people, close to 17.5 billion US dollars in revenue, across 50-plus countries. In our journey of 40 years, from being a disruptor to a leader, we have always gone back to our roots and encapsulated what we do, which led to our definition of purpose: to amplify human potential and create the next opportunity for people, businesses, and communities.

Each one of us is a navigator. We are excited for a future that is digital and filled with opportunities, and committed to navigating our clients through their digital transformation journey, steering the way with our strategy and innovation guided by our values.

Infosys IT is a highly energized and dedicated team with 1,200-plus people, scattered into teams across 15 countries, supporting 60-plus subsidiaries, and enabling 1,000-plus rules and policies for compliance adherence on a continuous basis, with Live Enterprise as a central theme.

Live Enterprise is Infosys' vision to position our 345K workforce at the sensing, feeling, responding core of the company. It is envisioned to enable Infosys with the ability to seamlessly interact with, and continuously learn from, our clients' and partners' ecosystem.

To realize this vision, Infosys IT embraced a massive transformation journey to reimagine our employee experience, our core business processes, and all our enabling IT systems and infrastructure. This means focusing on personal creativity, nurturing neural agency in process, ensuring just-in-time data for decision-making, driving hyper-productivity, and facilitating continuous learning to instill new patterns of sentient behavior.

The transformation triggered a major disruption in the Infosys IT tools and technology landscape of over 200 applications that were in operation over 30 years. During this journey, legacy systems had to be modernized, and many new systems had to be created and evolved gradually with time and based on business challenges faced. For instance, our mobile app InfyMe itself gets 10 million hits daily.

With this scale, our systems are the digital backbone for the organization. When the pandemic struck, quick turnaround for changes in processes for work from home was the acid test for Live Enterprise. Our systems and processes had to undergo quick change for work from home, and Infosys IT enabled the changes through DevSecOps with quick turnaround and good quality deliverables.

To understand how we did this at scale, we need to understand the digital transformation and agile DevSecOps journey of Infosys IT. We faced numerous challenges in this transformation journey. We will see a few of them now.

The old shop comprised of .NET and SQL technologies, primarily with point tools and custom solutions for building and releasing applications. Our testing was manual. For build and release, we used many homegrown custom tools. For the release processes, we used a custom release management system, which notified the testing team and finally provided sign-off to release artifacts.

These individual tools always worked in isolation and needed context switches and manual handshakes, leading to inefficiencies. These tools were also built on legacy technologies, and as part of the Live Enterprise transformation, even they needed to be modernized.

The cost to maintain, operate, and modernize these individual tools, and to integrate all of them, was a big overhead. It was hard to govern the use of these tools. Lack of integration between them affected traceability between artifacts. This also led to limited unified visibility; making people adopt these tools consistently was a challenge.

As part of transformation, many technologies and tools had to be experimented with. The tools ecosystem was not supportive for this experimentation and innovation, and it created a dependency on select teams to own and use these tools. To support the new tools and technologies, a lot of redundant and manual configuration scripting was required.

Stakeholders in the delivery value stream often struggled with lack of predictability due to delayed feedback, and that also increased cost of rework. Some of these tooling investments had to be rationalized and some of them augmented. All of these led to the overall delivery being unpredictable, reactive, and inefficient. This characterized the beginning of our digital transformation.

For this transformation, speed of delivery was important, and the logical first step was to move from waterfall model to agile. We had a tailored agile program for Infosys IT and the business partners. More than 1,000 employees were trained through this program. This was followed by agile assessment framework definition and designed certifications. We today have 50-plus certified Scrum Masters.

Apart from these process- and people-specific interventions, we were clear that a scalable DevSecOps approach was needed, as the old homegrown release tools and manual testing could hinder the speed of digital transformation. This transformation triggered the movement from .NET to open source technologies. We had identified several new open source technologies for digital transformation.

There were 200 applications with more than 1,000 components requiring 10K builds per month and running 50,000 test cases per month. Automation for DevSecOps had to keep up with the speed at which new technologies were being standardized. Ease of adoption for DevSecOps was critical to manage the scale.

As we were continuously learning and evolving the new tech stack, we needed agility to add new technologies and change tools for CI/CD/CT on the fly. With agility and speed, we also needed governance with common habits and routine across teams, and visibility to adoption of basic practices. This was a critical decision point for us, and at this juncture Infosys DevSecOps Platform gave us the ability for a self-service, scalable, and well-governed platform.

Now KrishnaKanth, over to you for talking about the solution that helped Infosys IT transform at scale.

KrishnaKanth B N

Thanks, Alok, for sharing the challenges in the Infosys IT landscape. When we talk about DevSecOps adoption, and that too at scale, these are some of the classic challenges that Alok just talked about, that we typically see. It is easy to set up a DevSecOps pipeline for one team. The team can acquire the required skills, choose the tools that are best suited for them, and write the scripts and automation that they need.

But when talking about an entire portfolio with thousands of components, each having their own types of delivery processes, cutting across diverse technologies and tools, it becomes very challenging to standardize and govern the implementation of processes and tools. Without standardization and governance, a lot of investment is needed to set up and maintain multiple tools, integrations, and customized processes, and also maintain isolated implementations as well.

To add to this, this diversity in the system makes it highly difficult to gain visibility into the problems and performance of development, QA, and all teams involved in the value stream. Any small change required will lead to a lot of manual interventions and impact in several areas. What Infosys IT needed was an enterprise-grade platform, and Infosys DevSecOps Platform took the requirement perfectly.

What is Infosys DevSecOps Platform, or IDP? It is an enterprise-grade, cloud-first DevSecOps solution that provides a platform approach for distributed agile and DevOps transformation with quality, speed, and at scale. Automation across the agile software delivery lifecycle was key for Infosys IT to rapidly evolve and innovate, and adopt modern engineering practices. IDP helped Infosys IT to adopt SDLC automation and achieve higher levels of agile and DevOps maturity.

IDP is primarily built on five key pillars and the principle of co-creation. Firstly, let us look at how IDP helped in simplifying and accelerating adoption in Infosys IT. The platform comes with no-code DevSecOps pipelines for over 25-plus technologies and integrates with over 100-plus industry-standard open source and commercial tools.

For novice users, the platform comes with an abstracted visual interface to configure and manage pipelines. The entire DevSecOps pipeline can be configured in a completely scriptless manner. The platform is cloud native, and it also supports DevSecOps in a hybrid cloud ecosystem as well. Infosys IT has several applications with deployment targets spread across on-premise and cloud infrastructures. IDP helped in touchless deployments across all these hybrid environments, and IDP itself is a microservices-based platform that runs on a scalable container orchestration platform like Kubernetes.

In the security and governance area, IDP's granular role-based access controls helped in onboarding various Infosys IT stakeholders into the DevSecOps workflows and made them actively participate in shift-left security and compliance-related actions. The predefined templates in the platform standardized the engineering practices.

IDP also extends itself into the observability area, where the platform can monitor and observe the applications that are released through the pipelines. It integrates with various monitoring tools and offers several metrics to track and act on ensuring reliability of applications. It has powerful logging, telemetry, and reporting built into it, due to which it makes the automation completely auditable and ITG-compliant.

The AI/ML insights in the platform offer predictions and recommendations on various areas such as developer analytics, infrastructure utilization, release predictability, application hotspots, anomalies, et cetera. Telemetry insights and metrics from the platform guide the user in improving the habits and routines and making the behavior and processes more sentient. This made it significantly easy to onboard thousands of components with ease. It also made the teams proactive to address the issues highlighted early through these insightful metrics, and it made the application delivery fully predictable.

Then, with the tools and technology landscape undergoing major transformation to suit the new-age application architectures, it became imperative for the platform to be ready to support any new tool or technology that entered the landscape. While IDP already supported a rich set of tools and technologies, it also offered a highly extensible plugin framework that allowed teams to onboard newer tools and technologies rapidly. IDP in itself is built on Live Enterprise principles, and it possesses capabilities to act as a key enabler towards a sentient DevSecOps tooling ecosystem.

This is how IDP plays a vital role in the DevSecOps tooling ecosystem, complementing the existing solutions and existing tooling investments, and elevating the teams to move from pipeline-based tooling into an enterprise-grade DevSecOps platform. It helps in making systems, processes, and experiences more sentient with Infosys Live Enterprise framework principles such as proximity to source, zero latency, instant simulation, among many others.

Plug-and-play capabilities and the modular nature of IDP helped Infosys IT use certain capabilities of the platform as they moved in their DevSecOps journey. The teams that started with pipeline-based tooling were guided through this platform to move into a high-maturity state that can be characterized by cognitive automation; enhanced and codified SecOps and DataOps practices; entire value stream management analytics; environment management; and metrics-driven visibility and governance.

This journey is characterized by self-service mode for teams to onboard themselves without the need to learn or acquire DevSecOps skills or depend on DevSecOps experts. The platform also democratizes extensibility and makes it possible for teams to extend its capabilities in self-service mode. The platform approach standardized the tools and automated the processes, and it shifted left the security practices, making the applications more secure. By virtue of IDP integrating with multiple tools, it provided a single pane for visibility across the value stream.

IDP takes a tools-agnostic and technology-agnostic approach to cater to the needs of enterprise teams. This was put to best use in Infosys IT as it was adopted across legacy, package, mobile, data, cloud, and hybrid application areas.

In this way, IDP was adopted for this massive transformation of agile and DevSecOps practices at Infosys IT. In the initial phase, applications including the new technologies chosen for modernization were readily onboarded for basic continuous integration practices comprising build automation, code-quality checks enabled with tools like Lint and SonarQube, et cetera, and automated deployments were enabled for lower environments.

In the next phase, we targeted integration with the homegrown release management solution for additional governance, and we also extended the CI/CD capabilities to perform cloud and container-based deployments, along with automating database and infrastructure deployments. During this shift, many tools were realigned on the fly, thanks to the ready support that the platform offered. Multiple orchestration platforms were evaluated, experimented, and finalized with ease. Likewise, artifact repositories, governance tools, and security tools underwent rationalization alongside the CI/CD/CT journey without impact on the DevSecOps automation.

Now we already have 10 new technologies fully onboarded with over 200 applications and 1,000-plus pipelines performing over 400 releases per month. The automation consistently rolls out 10K-plus builds per month and 50K-plus automated tests that run as part of the pipelines. As a result, the journey continues in accordance with our Infosys automation maturity framework. The next step is that the framework governs and provides the vision using which we moved from point tools to integrated platforms and are now working on making it fully driven by data and enabling cognitive abilities.

The future is to make this DevSecOps ecosystem fully autonomous, with smart, intuitive automation led by artificial intelligence. SRE and live engineering are extensions of IDP in order to make the DevSecOps ecosystem more reliable and sentient.

Over to you, Alok, to talk about the results and conclude this session.

Alok Kumar

Thank you so much, Krishna. How did this platform approach help Infosys IT in this transformation at scale? Here are the results. With the adoption of DevSecOps at scale with IDP, we were able to implement the process changes needed for pandemic work from home within a few days. For our mobile platform InfyMe, 94% of Infosys employees were enabled within a few days with work from home. Quick turnaround due to this transformation at scale helped the organization align to changes needed for the pandemic so quickly.

The touchless end-to-end automation adopted for DevSecOps of over 10 technologies on over 200 applications has resulted in 2x productivity increase. Thousands of pipelines running on the platform, with over 200K builds happening through the platform till date, showed 4x increase in velocity, 50% reduction in tickets, and 75% improvement in lead time. This also has brought down turnaround time significantly in service testing, regression testing, and cloud releases.

A few other engineering metrics of interest are the improvement in code quality and continuous testing adoption by about 20%, and also increase in automated deployment by four times. The metrics and reports from IDP also are critical in automating the agile maturity assessment. We have been able to double the rate at which maturity assessments are done. The metrics are also used to drive and track the KPIs of the leaders and the management community across the portfolio.

Stay safe. Stay healthy. Thank you so much for your patient hearing. Thanks.